Solved: Re: Log Exporter on R80.30 Standby SMS

gbasinski1 · ‎2021-03-17

Hi,

I configured Log Exporter on Standby SMS (there are reasons for this) and started the process, however when running tcpdump on the SMS, I don't see any traffic going out to the Destination Syslog Server.

What I did was:

1) Configured log_exporter

cp_log_export add name <NAME> target-server <Target IP> target-port 514 protocol tcp format cef

2) started the process

cp_log_export restart name <NAME>

3) tcpdump on the interface

No syslog going out.

[Expert@hostname:0]# cp_log_export show

name: <NAME>
enabled: true
target-server: <IP>
target-port: 514
protocol: tcp
format: cef
read-mode: raw
export-link: false
export-attachment-link: false
export-attachment-ids: Found

[Expert@hostname:0]# ps aux | grep log_exporter
admin 7663 0.1 0.3 148476 54132 ? SNsl 10:13 0:01 /opt/CPrt-R80.30/log_exporter/targets/<NAME>/log_exporter -export /opt/CPrt-R80.30/log_exporter/targets/<NAME>/targetConfiguration.xml

Note: I replaced actual name of the SYSLOG TARGET with <NAME> and actual IP address with <IP> in the output above.

This is R80.30 SMS JHT 215

The logs are present when checking in Smart Console.

Now, I can't see any reference in CP manuals nor in sk122323 to SMS High Availability and how it behaves in this environment. It might be that Log Exporter works only when the SMS has the active role. I can't do a failover right now to test this theory as this is subject to change management process. Does anybody have any experience with Log Exporter on Standby SMS?

Any help is appreciated.

Thanks

G

gbasinski1 · ‎2021-03-17

Hi,

Yes, I noticed the time stamp.

There is an issue with logging on this SMS, which will have to be investigated first.

Thank you for your help on this.

G

View solution in original post

S_E_ · ‎2021-03-17

Hi,

cp_log_export did work here on the standby MDS. At least with this settings:

(R80.30 T219)

Name: <REMOVED>
enabled: true
target-server: <IP REMOVED>
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-link: false
export-attachment-link: false
export-attachment-ids: Found

Just in case you just upgraded. Did you run these?

cp_log_export reconf

cp_log_export restart

Did you check /opt/CPrt-R80.30/log_exporter/targets/<YOURNAME>/log/log_indexer.elg

Regards

gbasinski1 · ‎2021-03-17

Hi,

Thanks for pointing me to /opt/CPrt-R80.30/log_exporter/targets/<YOURNAME>/log/log_indexer.elg

It turns out that there are errors during attempt to read the fw.log file

[17 Mar 14:27:51] CMappedBinaryFile::error opening file /opt/CPsuite-R80.30/fw1/log/fw.log
[17 Mar 14:27:51] CLogFile::Open2: error: open (/opt/CPsuite-R80.30/fw1/log/fw.log) for reading failed
[17 Mar 14:27:51] CpLogReader::Open: failed to open /opt/CPsuite-R80.30/fw1/log/fw.log

it appears that fw.log is empty:

#ls -lh
-rw-rw---- 1 admin root 0 Oct 22 03:48 fw.log

Although in SmartConsole it is possible to view the "fresh" traffic logs, I assume that these are pulled from the currently active SMS.

Regards,

G

S_E_ · ‎2021-03-17

hi,

just a side note.

-Time stamp of fw.log is October ??

Regards

gbasinski1 · ‎2021-03-17

Hi,

Yes, I noticed the time stamp.

There is an issue with logging on this SMS, which will have to be investigated first.

Thank you for your help on this.

G

Are you a member of CheckMates?

Log Exporter on R80.30 Standby SMS